CQURE Academy (https://cqureacademy.com) – Where Windows Hackers Level Up

“Anyone can get hacked” – Forbes Interview with Paula Januszkiewicz
https://cqureacademy.com/blog/forbes-interview-paula-januszkiewicz
Thu, 14 Dec 2017 15:50:01 +0000

How hackers choose the bright or the dark side, what the global cybersecurity community thinks about the Russian hackers and how to become one yourself.

Hackers are conventionally divided into “white” and “black”: the first legally check IT systems, the second break into them to steal information. Forbes spoke to Paula Januszkiewicz, one of the “white” hackers who created her own cybersecurity company — CQURE.

Aleksandr Baulin, Forbes: What’s your day like? Do you come to the office every day and work until the evening? Or can you choose the time and place to work?

Paula Januszkiewicz, CQURE: I would like to choose a place to work, but I can’t. Technically it’s possible, but my role in the company requires my physical presence at the customer. Therefore, I am always on the road, I visit different countries. To conduct an internal pentest, you have to come to the customers. The external pentest can be carried out even from a beach.

How do you conduct a pentest (test of IT system’s security against unauthorized intrusions)? Do you choose the time for cyberattacks? Or can you test the company anytime and anywhere? Is testing an exceptionally technical issue?

In the end, it all comes down to technology, but there are nuances. For example, if a client does not work at night, it will be the best time to conduct a test. When we do remote pentests for companies from the US, we can work throughout their night, because it’s daytime in Europe, and that’s fine. As a rule, we prefer a normal working day — it’s easier and everyone is happy. We do not like to work all night, but it happens.

Often we test a copy of a site or service. For example, recently we did a pentest of customer applications for one bank. We had to work with a copy of the system, because the site had huge traffic. And if there are problems with the test, this will negatively affect the bank’s image.

Do you have customers who ask you to make real pentests in real time?

Yes, of course. Sometimes we do it on a normal working day. The client is warned about it, and is “on standby”. If something happens, we immediately get in touch; they are waiting for us to call and sort out the situation. Once, when testing in real time, we “dropped” the site, because the server could not cope with so many requests at once. By the way, it was one of the companies cooperating with the Russian enterprises in the oil industry. The customer was shocked, they didn’t understand how this could happen. Anything can happen. Our goal is not to “break” the site, but to show its weak points, vulnerable to attack.

Do you always need to carry out both tests, the internal and the external one?

Depends on the circumstances. Some customers do not want to do a penetration test from within the company: “No, no, because you can hack us.” And we think: “My God, what’s the point of doing a pentest?” In such cases, we do only an external test. Personally, I don’t think it’s the right approach: why not do an internal test, if you are doing an external test? We try to explain it, but…

How to become a hacker

When did you become interested in this profession?

I have always worked in the field of security, but I became who I am today gradually. I was responsible for the safety of the school network when I was 17. I did not really understand what I was doing, but I really wanted to do Information Security Engineering. I was trying to find my own way. You see, when you’re 17 years old, it is difficult to understand what is worth doing and what is not. There is only what you want to do. But whether the choice was good for my future… I didn’t know it back then.

And we don’t know what will happen to us tomorrow.

Indeed.

What is the first operating system you hacked into? Ok, tested for vulnerability.

There were two of them — Windows and Linux.

“Windows was the first system I hacked.” This would be a good headline…

At that time, Windows and Linux used different security systems. It was the time of “NT4.0” [Windows operating system, published in 1996 — Forbes]. Back then everyone knew that if you do not change a certain parameter, the computer will be hacked. Finding vulnerabilities was easier. Now hacker attacks have taught us to defend ourselves, so we are in a somewhat better position.

Which OS is better and safer: Windows, MacOS, Linux?

In the end, the most important thing is what the system means to the business. The most used operating system is Windows, we all know it. For Mac and Linux, there are extortion programs, too. They just get into the system differently. The difference is in the availability of solutions. The question is whether there are companies that can protect your system. It is not necessary to create a real threat to information security, but checking the security infrastructure will improve this security and minimize the risk of penetration into your systems.

What can you say about the level of security of B2B systems in the world? Are they ready for cyberattacks?

Absolutely every time we make a pentest, we get into the system, we crack it. You can hack anyone.

And this is not surprising. There’s not enough education in that matter. Adequate training for security professionals simply does not exist. Of course, there are some courses, trainings and so on, but even if you pay for a university, there is no direct road to cybersecurity. Besides, not everyone can afford to study, and how can you become a good specialist without the right education?

But no one will give you education for free, because this is very specific knowledge. It’s a niche. The Financial Times predicts that by 2019 the world will need 6 million information security specialists, but with modern growth rates, the market will only have approximately 4 to 5 million of experts available. So for the guys who will be on the market, the situation is wonderful. Everybody needs them. And they will need them even more, but this, of course, is an unhealthy situation. The world needs more experts.

The cybersecurity engineer is the profession of the future?

Yes.

Then what is the best way to learn it if the universities do not prepare you properly? Online courses?

There are many free resources, but of course systematized knowledge is preferable. There are many different online courses. They are not expensive. But the problem is that they teach you more about hacking techniques. And these are the so-called “cheap tricks”. And besides, they train you in not very realistic environments. In my opinion, the best way is to independently train specialists. And this, for example, is what our team is doing.

We do this because we have a shortage of employees. There are more and more projects, and we postpone them, postpone, because there is no time. We hire people with a good approach to work. This is enough to get amazing results. Everything else will follow. We test them in different directions, we send them to our engineers, we often take them to our master classes, and then we perform tests again — they should develop. These students have the opportunity to travel. Or, for example, when we hold a five-day master class, a new employee can become an additional participant.

A good option for young people is to get into a company like ours. But in the security sector, you need to make serious investments in order to later provide a fantastic service. Therefore, payment may look different, but it’s normal. We train on a contract basis, with a guarantee fee. Later, you will return the money for training, but you will have the opportunity for 2-3 years to work in a good team, to take trainings, to receive useful tools, knowledge, to see real environments, to help the team whenever possible. At the same time, we take a deposit for tuition. And this is the only possible option, in my opinion.

We cannot invest in an employee, and risk that they will later say: “Okay, thank you, goodbye.” To keep a person in the company, you need to educate them, help them form the most valuable skills and have them stay. But this is only my opinion.

How many people are working in your company today?

It depends on how you count. We have 20 people in house and 36 contractors. But the contractors work for us a few weeks every month. So it’s almost like a full-time job.

And how many young employees?

About 30, so about a half. We train these people, because some of them have absolutely no experience.

Do you hire them right after the university?

Yes. And it’s terrible. Because up to a certain point it is not clear who you are dealing with. It looks alright, and then… The younger generation has a terrible reputation, and we are not very happy about it. Therefore, we choose only those who fit into the team. We made a mistake twice.

Do you have employees from Russia?

Not yet. But we are now opening up to new markets, because we see the potential there. So, who knows, maybe we will have someone from Russia on our team.

We hear almost every day about cyberattacks involving Russian hackers. Russians allegedly attacked Trump, Yahoo… Are Russian hackers really so clever and in demand as outsourcers? Or is it just labels and media misconceptions?

No, this is true. You have a high level of knowledge in this field. Many hackers are indeed from Russia. I think — but it’s only my opinion — that difficulties in finding employment for people living in remote cities contribute to this. They find it easier to find a remote job than an office one: you can be a developer, or you can be a pentester. This position allows you to work remotely from anywhere, because security is important to so many. If you want to work as a consultant, you will have to travel or relocate to Moscow, Krasnodar, St. Petersburg and other cities where customers’ companies are located.

We see this situation in many countries. For example, in Romania there is a fairly remote city of Cluj — this is the place of developers and security experts. In our country there is something like that. Oh my God! It is fantastic. You can work from anywhere in the world. In general, according to statistics, people from Russia have a high level of intelligence and analytical thinking. Russians are great fellows.

The “dark side” hackers — are they good?

Both “dark side” and “bright side”. The thing is that if you have high qualifications, you can earn more money. And then the ethical issues are of great importance. These two factors determine the choice: if a person sees a potential income and does not have problems with ethical principles, then he has two ways.

You are a founder and owner of a company. Why did you become a member of the Microsoft MVP program? Does this not impose any obligations on you? What kind of benefits do you have from it?

I participated in various public projects — from sending out presentations and research on the results of conferences to various master classes and organizing events. For example, I organized Woman in Technology Park, now I do not have time for that. Then it went into speaking at conferences and preparing articles for blogs — it can be done remotely.

Thanks to the status of MVP [assigned to outstanding IT professionals who make an intellectual contribution to the development of technical communities — Forbes] and participation in security programs, I have access to the source code of Windows. It’s not 100% of the code, of course. I received it during the release of Windows XP, that is, about 8 or 9 years ago. Perhaps this gives my company more advantages, because we can always test our hypotheses, while other experts have it more difficult. This is the most pleasant thing.

Imagine that all cybersecurity problems get magically solved. What would you do?

I’d chill on a beach. But seriously — an interesting question. What would be my second profession? Most likely, I would continue to work in IT. But, if absolutely all the problems in IT were solved, I would probably turn to mathematics, because it is an analytical and strict science. Most likely, I would be selling something somewhere, doing transactions, because I like mathematics. Somewhere on Wall Street.

If you want to read the original interview (written in Russian), click HERE.

Tools

CQMasterKeyAD (CQTools)

Allows decryption of DPAPI-protected data by leveraging the private key stored as an LSA Secret on a domain controller (we have called it the ‘backup key’; it is the key corresponding to the backup public key stored in the domain user’s profile). The backup key allows decrypting literally all of the domain user’s secrets (passwords, private keys, information stored by the browser). In other words, someone who has the backup key is able to take over all of the identities and their secrets within the whole enterprise. The tool represents CQURE’s breakthrough DPAPI discovery.

CQDPAPINGPFXDecrypter (CQTools)

Leverages DPAPI-NG as used in SID-protected PFX files. Whereas with the previous tool the CQURE Team gets access to a user’s secrets, here it is a bit different: the tool decrypts SID-protected PFX files even without access to the user’s password, just by generating the SID and the user’s token.

CQDPAPIKeePassDBDecryptor (CQTools)

Decrypts KeePass databases using DPAPI data obtained from the domain. It provides access to all users’ KeePass databases, building on the DPAPI data leveraged by CQMasterKeyAD: the tool uses the user’s decrypted Master Key to decrypt the key that encrypts the KeePass database. Paula elaborates on how we do this in her talk!

Want the tools she talked about? You can download them below!

CQTools from Black Hat Europe 2017

Hacks Weekly

If you would like to go more into this topic, we have a special Hacks Weekly episode that focuses on our important discovery within Data Protection API NG (New Generation). If you want to learn how to decrypt a password from PFX files and more… click for details!

Protect your name: how to secure DNS servers?
https://cqureacademy.com/blog/secure-server/dns-servers
Thu, 30 Nov 2017 14:26:34 +0000

What’s the environment?

Before we begin working with DNSSEC, let me introduce our environment. We have a Windows 10 client machine with the IP address 10.1.1.101, configured to use the DNS server at 10.1.1.1. That is our domain controller, and both machines are members of the same domain, cqure.lab.

On this domain controller we also have the DNS server, which hosts the zone cqure.lab. We configured a forward lookup zone on that DNS server, and we also configured a conditional forwarder for the domain racoons.lab, pointing to the GW01 server with the IP address 10.1.1.254. On that server we have a DNS server that responds for racoons.lab.

We also have an attacker’s machine, which is Kali Linux, with the IP address 10.1.1.115. We will use this machine to host our dangerous application, which victims will be sent to through DNS poisoning: we will use ARP spoofing to substitute the responses sent from the gateway (the GW01 server) to the SDC for any requests regarding racoons.lab.

So, whenever the client computer asks our DNS server for www.racoons.lab, the Kali Linux machine will try to redirect the traffic by substituting the DNS responses with the Kali Linux IP address, instead of sending the client to the safe website on the 10.1.1.1 server. So, let’s see it in an example.

First of all, I will start the service on the Kali Linux machine and verify the IP address of this machine: it’s 10.1.1.113. So, let’s move to the Windows 10 machine. First, let’s clear anything that was previously cached on this machine: run ipconfig /flushdns.

Now, what I want to do is simply start Internet Explorer, open it and go to http://10.1.1.1; this is the safe website. And we have the second server, Kali Linux, with an unsafe web page. What I want is that when I type http://www.racoons.lab, I get to the safe website. The attackers will try to spoof this and get the responses redirected to a different server.

Don’t forget to clear the cache

Let’s clear the cache again. Okay, the cache is cleared. Let’s close the browser, so we are sure there’s nothing cached there. And let’s go to the SDC virtual machine; it’s our domain controller. On this domain controller, let’s clear the cache, and also clear the DNS cache. I have this command here: Clear-DnsServerCache. Of course, yes, I’m allowing that.

What else I can do is clear the cache in DNS Manager. This is the same as clearing it through PowerShell. I have here a conditional forwarder that is set to the IP address 10.1.1.254, so each request for racoons.lab goes to this IP address to be resolved.

So, let’s go to that server. Okay, let’s see it. This server is GW01. We have a forward lookup zone, racoons.lab, and we have only one entry here: a host (A) record for www, which points to the SDC, on which we have the safe web page.

Okay, so now let’s see what we can do without DNSSEC applied to the servers. First of all, let me show you /etc/ettercap/etter.dns. In the DNS configuration for the ettercap plugin (ettercap is a very powerful tool), we have an entry for www.racoons.lab: an A record with the IP address of our Linux machine. So let’s close it, and let’s start ettercap with the graphical user interface. It will be easier to perform it that way.

Man-in-the-middle attack

First of all, we need to sniff: unified sniffing on eth0. Next, let’s look at the hosts and scan for the hosts on the network. It’s scanning; it will show me all the hosts that are available right now. So I have the first target machine, which is the SDC, and the second target machine, which is the gateway. I will perform ARP spoofing between those two virtual machines and perform the man-in-the-middle attack based on this.

So, I selected the targets; now, under man-in-the-middle attack, I’m using ARP poisoning with “sniff remote connections”, okay, so it has started to perform the attack. Now I want to use the plugins, and one of the built-in plugins is DNS spoof. I just enabled it, and the last part is to start sniffing. So, whenever I start sniffing here, you see that the request for www.racoons.lab will be answered with the actual IP address of the Linux machine.

So, let’s switch to the Windows 10 machine and try to resolve the name www.racoons.lab. As you can see, this time it’s already 10.1.1.113. So, as you can imagine, if I open Internet Explorer and go to www.racoons.lab, I will get the unsafe web page. So, basically, the DNS spoofing was successful.

Next – enabling the DNSSEC on the gateway

On this computer, I can simply go to DNSSEC and sign the zone. This will generate the keys; of course I can customize everything, but for the demo I will simply use the default settings for signing the zone. This is very simple. It creates a KSK for signing the zone; the algorithm will be RSA/SHA-256 with a 2-kilobit key. So, let’s do this next.

It’s signing. When I refresh the zone after signing, you will see much more information.

There are RRSIG entries for the DNSKEY records that are used for signing the zone, and we also have NSEC3 parameters here. And for every entry that we have here, for example www, we also have a signature with information about that particular entry. So, this is the signature, in base64 form, for www.racoons.lab.

Okay, let’s see if this changes anything on our servers. Let’s go first to SDC01 and clear the cache. Okay, the cache was cleared. Now let’s try to resolve the name for racoons.lab. Okay, I’m still getting the spoofed IP address. Let’s flush the DNS cache and try again.

This time I’m indicating that I am able to consume DNSSEC records. In this case, I got nothing. Let’s try this against the GW01 server. Okay, still nothing, because I’m substituting the original response from the GW01 server with the responses made by Kali Linux.

This is my SDC, so let’s flush this one. Yes, and now let’s try again. Yeah, now I’m getting the correct answer. Let’s see what happens if I use the -DnssecOk switch.

Now I’m getting additional information: the signature for that entry. I can also ask the remote server directly, and I will get the signature information from that server as well. So, is it preventing me from getting responses that are not valid? Actually, not yet.

First, let’s get the trust anchor for that zone. To get it, I query the remote server for the DNSKEY records. These are the four keys that are used here for making the signatures. Then I add this data as a DNS server trust anchor for this zone.

Now, if I go to the Trust Points in my DNS console, let’s see: there is nothing. If I add those keys right now and refresh the Trust Points, I get the entries for the DNSKEYs.

So, let’s verify what happens right now. Still, without the DNSSEC switch I do not get the additional information; with it, I get all the information.

Let’s now try to resolve the name on the server.

So I will close this website. Okay, close it, simply flush DNS, and I will first ask just for racoons.lab; it gets the correct response.

If I ask the gateway server and say that I want DNSSEC, I get the signature. If I ask the local DNS server for this Windows 10 machine, SDC01, I also get the signature here.

Let’s try to get the signature for a zone that is not signed. There is nothing, because cqure.lab is not signed. Okay, so let’s now again spoof the DNS responses from Kali Linux. Let me sign in. Okay, I’m starting the ARP poisoning again, and starting sniffing again. So, let’s go to the SDC, clear the cache, and also clear the local ipconfig DNS cache. Let’s try it.

This time I’m getting a server failure error, because the response cannot be verified against the signature with the trust anchor I currently have. Let’s try it with the DNSSEC switch: still not possible.

Let’s try it directly on the gateway server. This time it says okay: that was the response I got directly from the gateway server. But it’s not from the gateway; it’s from Kali Linux. So, if I ask the gateway for the response directly, it allows me to get the response.

Let’s do this on the Windows 10 machine.

Now I will request racoons.net again. And the response is exactly the same as on the server. So, my DNS server is rejecting the response, because it’s not signed with the keys that I have in the trust anchor.

So, the last part, which I should perform, is to enable an NRPT policy on my servers. But first I will stop the DNS spoofing and stop the man-in-the-middle attack, and try the requests again on the Windows 10 machine.

Oops, now I’m still getting the incorrect information. Let’s clear the cache and verify. Okay, it’s the correct one, and it’s getting the signature. Let’s go now to the Windows 10 machine, and I can try to get this information again. Now it’s the correct one, with the signature. Everything’s good. But usually we are just asking for DNS names, without the additional switch for getting the DNSSEC records. There is something called an NRPT policy, with which we can assign the domains for which we enforce the use of DNSSEC. Let’s try to do this.

Assigning the domains

Let me go to the SDC. So, let’s clear the cache, and right now I will create a group policy that will apply an NRPT policy for this: create a GPO, “DNSsecPolNRPT”. Okay, let’s edit this policy.

Under Computer Configuration, Policies, Windows Settings, there is Name Resolution Policy, and I will add a rule for racoons. (Remember: never use a wildcard here.)

Racoons.lab: enable DNSSEC in this rule, require validation, and create the rule. Also, under Advanced Global Policy Settings, let’s apply it to both IPv4 and IPv6. Remember to apply the policy at the end. So now I can close it. Let’s verify it’s there: Settings, NRPT policies, here it is, so I can close it. Now I can switch to the Windows 10 machine and update group policy. Wait until the computer policies are updated, and verify the NRPT policy.

Every time I ask for racoons.lab, it will enforce the use of DNSSEC. So, let’s try it. And as you can see, even without the DNSSEC switch, DNSSEC is enforced for racoons.lab.

What will happen if I lose a trustAnchor on SDC01?

Let’s remove the trust anchors for racoons.lab. Yes, let’s see what’s happening in the DNSSEC part of the DNS console. Refresh this one. And we have no trust anchor currently. So let’s clear the cache, and let’s go to the Windows 10 machine and see what happens.

Okay, ipconfig /flushdns. Now let’s try to resolve this one. We are getting a DNS error: unsecure packet. Let’s try this on SDC01.

On SDC01, I get the response without any problems, because I am not requesting DNSSEC and I’m not validating it, as there’s no NRPT policy for the domain controller. So, actually, right now, without the DNSSEC switch, I’m not asking for DNSSEC. Let me put the records back. Otherwise, it will not be possible to get the responses on the Windows 10 machine, because they are required to be signed with DNSSEC.

I need to refresh. Okay. Let’s try again. It’s probably the cache on the server, SDC… Okay, let’s try again. Just to be on the safe side, clear this one and resolve. This time everything is working perfectly.

Now, if I see that it’s not resolving properly because there is some DNS spoofing, it will not allow me to get to the racoons.lab website. Oh, Internet Explorer is serving it from its cache. Of course: refresh it, and then we get the secure website.

Remember, if you want to protect your zones, always use DNSSEC. Otherwise, it is possible to spoof the DNS responses and redirect you to a site or server that you are not expecting.
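The defensive steps of this walkthrough (sign the zone, import the DNSKEYs as trust anchors, require validation through NRPT, and check what the resolver returns) as an added PowerShell example written for this post, not the author’s own commands. It assumes the lab names from the post (racoons.lab on GW01, SDC01 at 10.1.1.1, GPO DNSsecPolNRPT) and that the DNSKEY record data exposes CryptoAlgorithm, KeyProtocol and Base64Data properties.

```powershell
# Added example (not the author's script). Run each function on the machine
# that owns that role: the DnsServer module (RSAT) is needed for the
# server-side cmdlets, DnsClient for the client-side ones.

$Zone       = 'racoons.lab'
$AuthServer = 'GW01'          # authoritative DNS server for racoons.lab
$Resolver   = '10.1.1.1'      # SDC01, the recursive resolver the client uses
$GpoName    = 'DNSsecPolNRPT' # GPO created in the post

# 1. On GW01: sign the zone with the default settings (what the DNS Manager
#    wizard does). This produces DNSKEY, RRSIG and NSEC3 records.
function Enable-LabZoneSigning {
    Invoke-DnsServerZoneSign -ZoneName $Zone -SignWithDefault -Force -PassThru
}

# 2. On SDC01: read the zone's DNSKEY RRset from the authoritative server and
#    register each key as a trust anchor, as the post does by hand.
#    Assumption: RecordData exposes CryptoAlgorithm, KeyProtocol, Base64Data
#    (the three values Add-DnsServerTrustAnchor takes).
function Import-LabTrustAnchors {
    $dnskeys = Get-DnsServerResourceRecord -ComputerName $AuthServer `
                   -ZoneName $Zone -RRType DnsKey
    foreach ($rr in $dnskeys) {
        Add-DnsServerTrustAnchor -Name $Zone `
            -CryptoAlgorithm $rr.RecordData.CryptoAlgorithm `
            -KeyProtocol     $rr.RecordData.KeyProtocol `
            -Base64Data      $rr.RecordData.Base64Data
    }
    # Drop anything cached before the anchors existed, then show the anchors.
    Clear-DnsServerCache -Force
    Get-DnsServerTrustAnchor -Name $Zone
}

# 3. Anywhere: classify what the resolver returns for one name.
#    'validated'   - the answer carries RRSIG records the resolver verified
#    'unvalidated' - a plain answer with no signatures (unsigned cqure.lab,
#                    or a spoofed answer before any trust anchor exists)
#    'failed: ...' - server failure / unsecure packet, which is what a
#                    spoofed answer turns into once the anchor is in place
function Test-LabDnssec {
    param([string]$Name = "www.$Zone", [string]$Server = $Resolver)
    Clear-DnsClientCache
    try {
        $answer = Resolve-DnsName -Name $Name -Server $Server -DnssecOk -ErrorAction Stop
    } catch {
        return "failed: $($_.Exception.Message)"
    }
    $sigs = @($answer | Where-Object { $_.Type -eq 'RRSIG' })
    if ($sigs.Count -gt 0) { return 'validated' }
    return 'unvalidated'
}

# 4. On the domain controller: the NRPT rule from the post, written into the
#    GPO instead of clicked through. The leading dot covers the zone and its
#    subdomains; never use a wildcard namespace here.
function Set-LabNrptRule {
    Add-DnsClientNrptRule -GpoName $GpoName -Namespace ".$Zone" `
        -DnsSecEnable -DnsSecValidationRequired
}

# 5. On the Windows 10 client: refresh policy and show the effective rules.
function Confirm-LabClientPolicy {
    gpupdate.exe /target:computer /force | Out-Null
    Get-DnsClientNrptPolicy
}
```

Running Test-LabDnssec before and after Import-LabTrustAnchors while the spoofing from the post is active shows the change the video demonstrates: the forged answer goes from being returned as 'unvalidated' to a 'failed' server error.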

CQURE’s Top 3 Tutorials
https://cqureacademy.com/blog/top-3-tutorials
Thu, 23 Nov 2017 17:36:42 +0000

Server Message Block: SMB Relay Attack

In this blog post we are going to discuss the SMB Relay Attack. The SMB Relay Attack is a type of attack which relies on NTLM version 2 authentication, which is normally used in most companies. Unfortunately, when we listen to what is going on in the network, we are able to capture a certain part of the traffic related to the authentication and relay it to other servers.

Memory Dump Analysis – extracting juicy data

In this post I will show you how to perform a memory dump and how, by using different types of tools, to extract information from it. It is fantastic to learn this in order to follow incident response activities, and also to extract information from memory so that we get a little more insight into what was, or is, running in the operating system at that moment.

Microsoft Local Admin Password Solution (LAPS) – Deployment Steps

Local administrator passwords on servers and workstations are usually unmanaged or set to be the same. In both cases, this is a mistake. In this tutorial you will learn how to manage passwords centrally and make sure that they are different on every computer in the enterprise. This way, if someone gets into one of the computers and steals the local hashes, they cannot use them to sign on to other computers.

Building A Perfect Sysmon Configuration File
https://cqureacademy.com/blog/server-monitoring/sysmon-configuration-file
Thu, 16 Nov 2017 15:37:16 +0000

What does Sysmon have in store?

You should see my screen right now. In order to build a Sysmon configuration file, you first need to learn how to check what Sysmon has to offer. For example, open the Sysmon executable in Resource Hacker. It’s important to check what the manifest looks like, because we need to verify what kind of possibilities we’ve got.

This is the newest Sysmon, 6.10, and over here you can see the templates that define the different types of events that can be logged.

This is what we’re going to have logged in the event log: file creation time changes, process tracking (process creation and process termination), network connections detected, drivers loaded and things like that.

Every time a new Sysmon version is released, don’t worry: you will probably not find that information quickly on the Internet, but that’s fine, because here you are able to see what kind of stuff was added.

In the new Sysmon you can monitor WMI event filters. As you see, there are event consumer, event filter, ConsumerToFilter activity and so on. Plenty of WMI queries… This is new. That is, for example, if you’ve got malware that uses WMI, or if WMI is modified, then you are able to see that kind of information in Sysmon.

Using names in the config file

Now, whenever we think about creating rules, because this is how we operate with Sysmon, you might wonder what names we need to use in the config file to make it work. The answer is very simple. Over here you’ve got the names of the rules, like “rule pipe event,” “rule WMI event,” and so on.

Then, based on that, you build your rules in the configuration file. This is a little bit of a cheat sheet: how things are called, how things are named.

Now, why are we talking about this?

Well, because… let me have a look at the configuration file. If we open config.xml in Notepad, this is the simplest possible config file we could have. For example, we’ve got Sysmon schema version 3.3; we can also use 3.4, and at this moment it doesn’t really make a difference. Here you can see EventFiltering, and this is the place where we put these names. For example, if we have the rule WMI event, then you put this particular entry over here.

Now, you might say that not everything in the manifest I just showed you is in my config file.

You don’t have to configure everything; you can configure only a couple of things. And, long story short, you are also able to say what you would like to have here: either include certain events or exclude them.

NetworkConnect, for example: in my case I am monitoring all events of this type. CreateRemoteThread: in this particular case I am only monitoring explorer, LSASS, services, svchost, winlogon and so on. RawAccessRead: I’m excluding only Sysmon and System, and monitoring the rest. And of course ProcessAccess, which is good for detecting pass-the-hash, where I am only including LSASS.

In the case of FileCreate onmatch="include", I am not monitoring everything. In fact, I’m monitoring nothing here: FileCreate onmatch="include" with no rules means monitor nothing, because I’m including nothing. So this is how we work with this Sysmon file.

Now, question is, can I have it larger?

Can I play totally with what’s going on and specify that would like to only have certain processes that are not known monitored and so on?

Well, Sysmon isn’t really flexible over here… It’s fantastic but it’s not flexible. So, you need to work on your files. And, that’s why maybe it’s even good to get some examples.

I’ve got another configuration file over here if we do Notepad, and then we do Sysmon Swift. That is the configuration file that SwiftOnSecurity shares. It’s not the most up-to-date because it’s from July. But that’s alright… Well, there is a new version of Sysmon out there that is not included in the file. But it’s totally not important because you will know how to do that.

Process monitoring exclusion

Now, what we can see here are the different processes that we don't want to monitor. In this particular case we have ProcessCreate onmatch=”exclude”, and we're excluding, by name, all the processes that are known. That could potentially lead to a bit of a problem, because here we're specifying only the name.

Or a “begin with” on a path, for example Windows Defender's, and so on. Could malware fit into these rules, for example by being called the same as one of these files? The answer is yes.

But in general the set is pretty good. Then we have various other conditions here. This is all about processes, and it's actually a pretty big file.

Then we have file creation time and so on. We're excluding, as you see, things like OneDrive and Setup: all the classics that legitimately change file creation times.

And things like the network. Here it's actually a pretty interesting approach, with different types of options included. We are excluding the rest, but we're interested in, for example, anything in C:\Users that tries to establish network communication, anything from C:\Windows\Temp, and so on.

In general, this is network connections established by different types of files that are not normally the ones you use to establish a network connection in a normal configuration of the operating system.

Things like destination ports, of course: connections over certain ports. And here we have different types of drivers loaded into the kernel.

And here, well, the question is: do we want to monitor that or not? Or do we want to monitor everything?

So, as you can see, DriverLoad onmatch=”exclude”, and we are not really excluding much: drivers from Microsoft Windows, Intel and similar vendors we exclude, but anything else we include.

That's the case. We also have raw disk access and so on. So there are plenty of options for how we can configure Sysmon monitoring. This is the flow.

An Important Discovery in Data Protection API
https://cqureacademy.com/blog/windows-internals/data-protection-api
Thu, 12 Oct 2017 10:46:03 +0000

I am currently logged on as Freddy Krueger. This is the user who is going to export a certificate with the private key, and it's going to be SID-protected. Let's do it first so that we have something to work on.

I’m exporting the certificate. Next, export the private key. Great.

First step: add another user

Here we specify who we would like to add; for example, we can add another user here. Only these users are allowed to get access to this particular certificate. So, blee and Freddy Krueger. Okay. No password for now.

This is the feature that leverages the Data Protection API NG (DPAPI-NG), available since Windows Server 2012 R2.

Second step: specify the file name

Next we specify a file name. For example, we can name it here “for blee” or “for Freddy”. Save.

The question for us will be: are we able, at some point, to get access to this file?

It's actually funny to watch, because if we try to get access to this particular PFX file, the password is filled in automatically. That password comes from the PFX format itself, and that is what this is all about.

Here it accepts the password and we go.

If it is a SID-protected PFX, the password itself is stored encrypted in the file. That's what we would like to get access to.

We've got this for Freddy Krueger. We can copy this certificate and put it somewhere in our tools folder. We're going to be working on this.

Freddy Krueger, bring it on!

Here on the Domain Controller, in order to get access to what we call the KDS root key, which is necessary in the case of DPAPI-NG, we first need the Bootkey. We're going to grab it with our newest version of CQSecretsDumper. Let's grab this value: D9A7DB and so on.

Here I backed myself up: I made a copy of ntds.dit. Using a Shadow Copy and simply copying that file would be one option. That's pretty much the only thing we need.

We would also need the SYSTEM registry hive, because that's where the Bootkey is, but since we are fetching the Bootkey directly, ntds.dit is really the only thing we need here.

Now we’re ready!

Having these two items, we are ready to move forward and extract the necessary information from ntds.dit. If at some point you do a Shadow Copy and something goes wrong with the integrity of ntds.dit, you can always run esentutl /r edb /d, which will recover the database. Just in case you get into trouble.

Now, what are we going to do? With this information, we can move on to CQNTDSDTDecryptor and work on the ntds.dit that I already copied to CQTools. By providing the appropriate Bootkey, we extract the KDS root key and put it into kds.dit.

When we run that, we get different KDS root keys: one found is 9EB9 and so on, and another one found is C16 and so on. Technically there are not many of them, so you can try all of them. But the point here is that this particular decrypted master key is the one we're going to use for access to the PFX file.

You will need CQURE’s tool

Let's bring it on. For that purpose, we're going to use our new tool, CQDPAPINGPFXDecrypter. Let's get into this one. It takes two parameters.

The first is pfx, and in our case it's D:\Tools\CQ_tools\forfkrueger.pfx, which is where we put it. Here we go.

The other one is master, and this is where we put our key file. Enter.

As you see: successfully decrypted password. Okay.

I’m super curious right now if this is something that’s going to work for that particular pfx file. Let’s find out.

For Freddy: Next, Next. It asks me for the password, so I'm pasting the value we got. Display password: that's the value. Next. As you see, this is how we are able to decrypt those PFX files.

Data protection API is not that difficult

Where's the difficulty? Well, the difficulty is to reverse engineer DPAPI-NG and understand how clients actually get access, based on their SID, to their PFX files. That's the first thing, and that's what we did.

The second thing is, of course, to extract the information, the KDS root key, from the domain. That's not a big deal. The deal is how to use it.

If you have a look at the structure of the PFX file (you can do this as a bit of homework, using an ASN.1 editor), you will see that it's not the easiest structure, and it's really a matter of how we leverage the data that we are able to export here.
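For the homework mentioned above, an added example that is not CQURE's tool and not code from the post: a stdlib-only DER walker that shows the layering of a PKCS#12 file, decoding OBJECT IDENTIFIERs and INTEGERs and descending into the OCTET STRINGs in which PKCS#12 wraps each layer. The input produced by build_sample_pfx is a constructed skeleton (version 3, one certBag holding placeholder bytes instead of a certificate); it is not a real PFX and carries no SID-protected password, so the script demonstrates the envelope structure only. Point parse_der at the bytes of a real PFX to see where the encrypted layers sit.

```python
OID_NAMES = {
    "1.2.840.113549.1.7.1": "pkcs7-data",
    "1.2.840.113549.1.7.6": "pkcs7-encryptedData",
    "1.2.840.113549.1.9.22.1": "x509Certificate",
    "1.2.840.113549.1.12.10.1.2": "pkcs8ShroudedKeyBag",
    "1.2.840.113549.1.12.10.1.3": "certBag",
}
TAG_NAMES = {0x02: "INTEGER", 0x04: "OCTET STRING", 0x06: "OID",
             0x30: "SEQUENCE", 0x31: "SET", 0xA0: "[0]"}


# ---- encoding helpers, used only to construct the sample input ----
def der(tag, body):
    """Tag-length-value with short or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed, the rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def build_sample_pfx():
    """Constructed skeleton: PFX ::= SEQUENCE { version INTEGER 3, authSafe ContentInfo(data) },
    one certBag with placeholder bytes where the certificate would be. Not a real PFX."""
    cert_bag = der(0x30, encode_oid("1.2.840.113549.1.9.22.1")
                   + der(0xA0, der(0x04, b"placeholder-certificate")))
    safe_bag = der(0x30, encode_oid("1.2.840.113549.1.12.10.1.3") + der(0xA0, cert_bag))
    safe_contents = der(0x30, safe_bag)
    inner = der(0x30, encode_oid("1.2.840.113549.1.7.1") + der(0xA0, der(0x04, safe_contents)))
    auth_safe = der(0x30, inner)  # AuthenticatedSafe ::= SEQUENCE OF ContentInfo
    outer = der(0x30, encode_oid("1.2.840.113549.1.7.1") + der(0xA0, der(0x04, auth_safe)))
    return der(0x30, der(0x02, b"\x03") + outer)


# ---- decoding ----
def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]  # correct for the 1.x / 2.x OIDs met here
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_der(data, descend_octets=True):
    """List of (tag, value); constructed nodes carry their child list as value."""
    nodes, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated DER header")
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated DER element")
        i += length
        if tag & 0x20:  # constructed: recurse
            nodes.append((tag, parse_der(body, descend_octets)))
        elif tag == 0x06:
            nodes.append((tag, decode_oid(body)))
        elif tag == 0x02:
            nodes.append((tag, int.from_bytes(body, "big")))
        elif tag == 0x04 and descend_octets and body[:1] == b"\x30":
            try:  # PKCS#12 nests each DER layer inside an OCTET STRING
                nodes.append((tag, parse_der(body, descend_octets)))
            except ValueError:
                nodes.append((tag, body))
        else:
            nodes.append((tag, body))
    return nodes


def dump(nodes, depth=0):
    """Indented text rendering that names known tags and OIDs."""
    lines = []
    for tag, value in nodes:
        name = TAG_NAMES.get(tag, f"tag 0x{tag:02x}")
        if isinstance(value, list):
            lines.append("  " * depth + name)
            lines.extend(dump(value, depth + 1))
        elif tag == 0x06:
            lines.append("  " * depth + f"{name} {value} ({OID_NAMES.get(value, 'unknown')})")
        else:
            lines.append("  " * depth + f"{name} {value!r}")
    return lines


def oids_in(nodes):
    """Every OID in the tree, in document order."""
    found = []
    for tag, value in nodes:
        if isinstance(value, list):
            found.extend(oids_in(value))
        elif tag == 0x06:
            found.append(value)
    return found


if __name__ == "__main__":
    print("\n".join(dump(parse_der(build_sample_pfx()))))
```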

SQL server security
https://cqureacademy.com/blog/secure-server/sql-server-security
Thu, 05 Oct 2017 17:06:23 +0000

We're going to talk about SQL Server networking security and focus on two deadly mistakes that are made by people who configure SQL Server in their enterprises. I've got with me Greg and Mike from the CQURE Team.

Greg is a specialist in enterprise security and Mike is a specialist in SQL Server and SQL Server security.

GREG: My perspective of SQL Server is that it's just a service within the operating system. It uses some networking to communicate with external parties, and I will try to cover this communication, because we can spoof the communication and we can misconfigure the protection of this communication. I will play more at the network layer, hacking the network layer of SQL Server security communication.

MIKE: I will show two hacks: how to get the username and password, and how to bypass even the most sophisticated protection inside the database when you are sniffing TDS packets.

First hack: accessing SQL Server to get user data

Let's start with the first hack. In this particular hack, we will be accessing our SQL Server and we will try to get the SQL Server login, username and password, which is sent during the authentication of the user while establishing a connection to the SQL Server.

Start up Management Studio. I will connect to verify that I can do this and that I have a correct user for my database server. This is SQL02, and I'm connecting from the Windows 10 machine. Let's connect. Currently I'm connecting as an admin, using Windows integrated authentication. I have a SQL database in which I have some tables, like Customers and Employees.

Let me go to the security settings: as you can see here, I have only “Charlie”.

I will create a new SQL login. It will be “Bob”.

SQL authentication with some password.

Okay. This time I created the Bob user and I can try to connect with this new login.

SQL authentication.

Let me switch to Bob and try to connect.

It's possible for me to connect to the server. Remember that if you are working with two connections in a single SQL Server Management Studio, always verify which connection you are currently working on.

We have CQURE and I can expand it. You can see at the bottom that I'm currently signed in as Bob to this CQURE database. I will disconnect.

To perform this hack I will use Kali Linux, but it can be any system able to perform ARP spoofing and other attacks on the network.

I will be trying to listen to the network traffic from the SQL Server to the Windows 10 virtual machine and from Windows 10 to the SQL Server, so both ways.

Let me go and see what the IP address of the Windows 10 virtual machine is.

“ipconfig”: it is 10.1.1.101. And let me ping SQL02.

This is 10.1.1.12, so this is the second IP address.

“arp -a” will display the actual physical address of the computer that's hosting the SQL Server.

And, of course, “ipconfig /all” gives us the information about our own physical address, so it's this one.

To perform this network sniffing I will be using Kali Linux, and here I have the console.

I will start ARP spoofing, so it will be sending ARP responses to both machines, saying “okay, this is the client and the target machine”. This is the first one; here I'm getting it in reverse format, so actually it's the client, and the second one is the server. So I'm spoofing to the server and to the Windows 10 client.

If I go back to the Windows 10 machine and now display “arp -a”, you'll see that the Linux machine and SQL02 have the same MAC address. So I'm actually changing the MAC address for this IP address, and as you can see here, before it was a different MAC address. So the ARP spoofing was successful.

All the traffic that is going to SQL02 will actually go to the Linux machine.

What can I do next?

I need to set the “ip_forward” parameter. The next part is to add an iptables PREROUTING rule that will redirect the traffic going to SQL02 to our local port 1433.

I'm going to create this rule, and the next part is to use msfconsole; this is actually Metasploit. Of course, let's test whether we can still connect to our SQL Server database engine as Bob. Try to connect. Now it's not working, because I'm ARP spoofing and redirecting the traffic with iptables to go directly to this Kali Linux machine.

Let's go back to the Kali machine and type “workspace”.

I'm in the default one, so “workspace -a”: let's create a new workspace, just for the demo.

I'm in the new workspace and now I can “search capture/mssql” for the module I need to use.

Let's copy this one and paste it.

I'm using this auxiliary Metasploit module and I need to “set SRVPORT 1433” to use the default port.

Now the last part is to just hit run. It starts listening on local port 1433. Let's try it.

Now I’ll try to connect here as Bob.

Failed.

Let’s go back to the Kali Linux and see what we have here.

We have Bob and the plain text “Password” for this user!

That's the password I used to create the login on the SQL Server.

When I want to exit, I can switch to my iptables rule and disable it.

I'm disabling this rule right now, so it's not running anymore.

Right now I can connect to SQL02, because I'm using IP forwarding.

I can disconnect it.

How did I achieve this, that I can grab this password?

Of course, the password is not sent in plain text. If I start Wireshark, I have TDS traffic sniffing enabled.

Let's try to connect as Charlie. You see that I have pre-login messages, and there is nothing there where I can see the password. Actually, it's not sent in plain text.

Import

What is happening when I'm using Metasploit? Metasploit starts a process which is listening on port 1433 and says that it is a very, very old version of SQL Server, actually SQL Server 2000, forcing the client, even the newest one such as Management Studio 2016 or 2017, to fall back to the old authentication protocol, and this is when the password is sent almost in plain text.

It's easy to get your password if it's possible to spoof and redirect the traffic and to force your connection to fall back to the old version.

Performing another type of the attack

Let me stop Wireshark. Now I will try to perform another type of attack. It's very similar to SQL injection, but this time it won't work as SQL injection directly. Let me show you one thing here: in TDS packets, the actual query is in plain text. This is one of the queries that was executed on the SQL Server when the user connected with Management Studio.

So, if it's possible to get this query and change its content, it will be executed within the context of the login that is connected to the server. Let's try to do it.

First, we need to capture... let's say that I'll be doing this as an admin, on the CQURE database. I'll be running this query.

I’ll open it from the file.

I have it on the desktop.

This is a very simple query.

When I execute this query, I get the results at the bottom.

To do this attack I will run the same query again.

The filter for TDS in Wireshark.

“Continue without saving”

Now I’m waiting to capture some queries.

If I execute again, I should see the same SQL batch here. This is the SELECT. I will copy the value of this field: “select custid, companyname, contactname, address, city FROM customers”. Quite a simple query.

And what will I do next?

I will use one of the scripts that use Ettercap to capture the packets, change the content of the TCP/IP packets and replace it (using a regexp) to inject a new query. The only thing to remember when you are trying to write this kind of script is that the TDS packets don't have any checksum on the query itself, but the TCP/IP packet has the checksum on the length of the data inside the packet.

So the easiest way is to get a very long query. This one is not so long, but it's enough to create a login named “hacker” with the password “password1”. We just need to add spaces at the end of the query so that it has exactly the same length as the query we're trying to replace. I will stop the ARP spoofing here on both ends, because this script, which I have here, also starts ARP spoofing by itself.

So, not to mess it up: this is the same query that I copied, and if I hit Enter, it creates a payload and waits for new queries. If the query is different, for example “select top 1”, it will not be replaced.

“SQL traffic” is discovered, so we see that we are listening for it again. But until we have the same query executed again, nothing will happen.

“Found our string”, and it replaces it.

You see in SQL Server Management Studio that we don't see the results for this query anymore.

If I hit F5 again to execute the same query, I will get: “The server principal 'hacker' already exists”. So probably someone will notice it in the TDS packets after the first replacement.

I will exit it.

Let me go to Wireshark again.

I'm searching for this SELECT. And of course, it was found in the data here. This is the same SELECT, which was replaced with this one.

Next, if I go to the logins and refresh, you will see that there is a “hacker”.

How can we protect ourselves? First of all, it is necessary to connect with the “Encrypt connection” option. When I select “Encrypt connection”, the connection to the database will be protected.

If I open the same file and execute it...

Of course, I need to turn on capturing in Wireshark again. Let me switch there.

ARP spoofing.

Again, I should see in Wireshark the query that is executed. Let's try it.

I'm refreshing.

This time I do not see any queries here. Why is that?

When I go to Wireshark, I see that this time I'm starting a TLS exchange.

There is no information about any TDS packets here, because they are encrypted.

I don't see the query that is sent, nor the response.

The last thing is that in these connection options, when encrypting, we should uncheck the “Trust server certificate” checkbox.

To do this, we actually should go to SQL Server Configuration Manager and, under Server Network Configuration, force encryption and use the appropriate certificate from the list.

So, when we enforce this and use the proper certificate, we can safely connect to our server. Remember to verify that at the bottom of Management Studio you see the padlock showing that there is an encrypted connection to the server.
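The downgrade that Mike's capture relies on, as an added example that is not code from the post, from Metasploit or from Microsoft: a Python model of the two TDS messages involved. The layouts follow the public MS-TDS specification: PRELOGIN (packet type 0x12) carries option tokens, among them VERSION (0x00) and ENCRYPTION (0x01, with 0 = ENCRYPT_OFF, 1 = ENCRYPT_ON, 2 = ENCRYPT_NOT_SUP, 3 = ENCRYPT_REQ); LOGIN7 (type 0x10) has a 94-byte fixed part (TDS 7.2+ layout) with offset/length pairs pointing at UTF-16LE fields, and its password field is only obfuscated (per byte: swap the nibbles, then XOR 0xA5), not encrypted. A rogue server that answers PRELOGIN with ENCRYPT_NOT_SUP gets a LOGIN7 it can read; one that answers ENCRYPT_REQ (the “Force Encryption” setting) does not. All packets below are constructed for the demo, not captured traffic, and the version numbers in them are placeholders.

```python
import struct

ENCRYPTION_MODES = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON", 2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}


def tds_packet(ptype, payload, spid=0, packet_id=1):
    """8-byte TDS header: type, status 0x01 (end of message), big-endian total length, spid, id, window."""
    return struct.pack(">BBHHBB", ptype, 0x01, 8 + len(payload), spid, packet_id, 0) + payload


def build_prelogin(options):
    """PRELOGIN (type 0x12): option tokens (token, offset, length), 0xFF terminator, then the option data."""
    tokens, data, offset = b"", b"", 5 * len(options) + 1
    for token, value in options:
        tokens += struct.pack(">BHH", token, offset, len(value))
        data += value
        offset += len(value)
    return tds_packet(0x12, tokens + b"\xff" + data)


def parse_prelogin(packet):
    """{token: data} from a PRELOGIN request or response (offsets are relative to the payload)."""
    body, options, i = packet[8:], {}, 0
    while body[i] != 0xFF:
        token, offset, length = struct.unpack(">BHH", body[i:i + 5])
        options[token] = body[offset:offset + length]
        i += 5
    return options


def describe_prelogin(packet):
    """Server version (VERSION token 0x00) and the ENCRYPTION answer (token 0x01)."""
    opts = parse_prelogin(packet)
    major, minor, build = struct.unpack(">BBH", opts[0x00][:4])
    return {"version": f"{major}.{minor}.{build}", "encryption": ENCRYPTION_MODES[opts[0x01][0]]}


def obfuscate_password(password):
    """TDS7 password 'protection': per UTF-16LE byte, swap the nibbles, then XOR with 0xA5."""
    return bytes((((b & 0x0F) << 4) | (b >> 4)) ^ 0xA5 for b in password.encode("utf-16-le"))


def deobfuscate_password(blob):
    """Inverse of obfuscate_password: XOR 0xA5, then swap the nibbles back."""
    return bytes((((b ^ 0xA5) & 0x0F) << 4) | ((b ^ 0xA5) >> 4) for b in blob).decode("utf-16-le")


def build_login7(username, password, hostname="WIN10", appname="SSMS", server="SQL02"):
    """Minimal LOGIN7 (type 0x10), TDS 7.2+ layout: 94-byte fixed part, then the variable data;
    the offset/length pairs count from the start of the LOGIN7 message (byte 0 = Length field)."""
    fields = [hostname.encode("utf-16-le"), username.encode("utf-16-le"), obfuscate_password(password),
              appname.encode("utf-16-le"), server.encode("utf-16-le"), b"", b"", b"", b""]
    pairs, data, offset = b"", b"", 94
    for raw in fields:
        pairs += struct.pack("<HH", offset, len(raw) // 2)  # cch = UTF-16 character count
        data += raw
        offset += len(raw)
    # Length, TDSVersion (7.4), PacketSize, ClientProgVer, ClientPID, ConnectionID, 4 flag bytes, TimeZone, LCID
    fixed = struct.pack("<IIIIIIBBBBiI", 94 + len(data), 0x74000004, 4096, 0, 0, 0, 0, 0, 0, 0, 0, 0x0409)
    # ClientID (6) + SSPI/AtchDBFile/ChangePassword pairs (12) + cbSSPILong (4): unused here
    return tds_packet(0x10, fixed + pairs + b"\x00" * 22 + data)


def extract_login7_credentials(packet):
    """What a sniffer sees once the client has been talked out of TLS: user name and password."""
    login7 = packet[8:]
    ib_user, cch_user, ib_pass, cch_pass = struct.unpack_from("<HHHH", login7, 40)
    username = login7[ib_user:ib_user + 2 * cch_user].decode("utf-16-le")
    password = deobfuscate_password(login7[ib_pass:ib_pass + 2 * cch_pass])
    return username, password


def demo():
    """Constructed packets: a rogue server's PRELOGIN answer refusing encryption, a hardened
    server's answer requiring it, and the LOGIN7 a client sends after the downgrade."""
    rogue = build_prelogin([(0x00, struct.pack(">BBHH", 8, 0, 194, 0)), (0x01, b"\x02")])
    hardened = build_prelogin([(0x00, struct.pack(">BBHH", 14, 0, 1000, 0)), (0x01, b"\x03")])
    login = build_login7("Bob", "Password")
    return {
        "rogue_server": describe_prelogin(rogue),
        "hardened_server": describe_prelogin(hardened),
        "password_on_wire": obfuscate_password("Password").hex(),
        "recovered": extract_login7_credentials(login),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

The recovered tuple is what the capture module prints; the “password_on_wire” hex shows why a plain string search in Wireshark finds nothing even though no key is involved. For detection, a PRELOGIN response carrying ENCRYPTION = 2 from a host that is supposed to force encryption is the packet to alert on.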

Making personal attacks

GREG: After you saw two attacks performed by Mike, it's time for my attacks.

The first one will be very similar to Mike's, because it's about forcing the SQL Server client to use clear text and then grabbing this clear-text authentication off the wire. But I will use a different trick to make the SQL Server client connect.

Instead of playing at the ARP level and physical address resolution, I will work at the level of name resolution in Windows, which is significantly higher in terms of the TCP/IP stack, and which also makes the attack easier to perform.

Here I have my client. I will try to ping some server.

“ping sql3”: I have no SQL3 in my environment, so no one replied.

If we start to think about name resolution (and how the Windows client knows what the IP address of SQL3 is), we have to go to the network properties > “ncpa.cpl” > properties of the interface > TCP/IP > Advanced > WINS, and here you can see NetBIOS, which is used for name resolution.

We'll try to monitor the situation with Wireshark. If I launch Wireshark, I can see what happens if I try to ping someone non-existent.

“ping sql4” this time. You can see that there is a broadcast being sent across the network, asking who SQL4 is for a guy in this network.

Of course, no one replied to this query.

My client returns the information that the host cannot be found. And to spoof the identity of a different machine, we work at this level with broadcasts, so I will create a process replying to such broadcasts, saying “I'm the one you are asking about”.

Using other tools that help with the attack

I will use the Responder utility here, “responder.exe”. Originally it was a Python script, but I'm using the Windows version, which makes it even simpler to use for regular users. Responder sends information about fake IP addresses; this is one thing Responder is doing. Another thing Responder does, which is really great, is to act like a SQL Server, so you don't have to use Metasploit or any other third-party software. Responder itself emulates a SQL Server in a way that is enough for lowering the authentication level and grabbing the input sent by the client.

I will run responder.exe. It has a couple of parameters; you can easily check them with “-h”.

I will use only one, which is about the IP address to be spoofed.

The IP address of this machine is 192.168.1.200, so I will run responder “-i 192.168.1.200” and it simply starts.

Here you can see a bunch of servers being run by Responder, including a SQL Server.

Here I have the console.

I return to my machine now.

I can run “ipconfig /flushdns”.

I can try again with SQL4, and of course now Responder sends its own IP address as SQL4. It appears here. In the Responder console you can see that sql4 was sent to this poor victim as a poisoned answer. Having exactly the same situation, and having a running SQL Server emulator, I can, for example, run the ODBC configuration. Actually, any SQL Server client will work here.

I can add a new connection, and the name will be “SQL1”.

I will connect to my SQL Server machine. It doesn't matter, because Responder responds to any query, including this one.

If I click Next, I can say I would like to authenticate against SQL Server with the “sa” account and the password.

Next, and I can click OK.

If I switch back, I can see the message that the “previously captured hash for sa” was in the database, because I tried it previously.

So I can try with another password to make it visible.

Now it is connecting again.

I will try to see this and now... well, this is not what I intended, so I will break it and remove the Responder database. I will go to “logs” and remove everything.

I will run Responder again, hoping this time it will grab the information from the SQL Server client. If I click Next right now, I have a connection again.

I will return to my Responder, and now you can see the password was really captured (Secret123111), because the SQL client tried to connect to my SQL Server with “sa” and this password.

This is another reason why I used the sa password, which is definitely not best practice. But it is so common that I can emulate it this way, just to draw attention to something you should really put effort into in protecting your environment.

Second attack: performed with the SQL Server

That was the first attack. Very similar to Mike's, but at the same time a bit easier to perform in practice.

Another attack, which can be performed with SQL Server or through SQL Server, is not an attack on the SQL Server but an attack with the SQL Server. It relies on the fact that within SQL Server (I have it here) we can configure multiple instances. Here you can see that I have installed two different SQL Servers running on the same machine: the SQL Server with the default, unnamed instance, and one with a named instance.

The named instance is running.

Let's go to the configuration.

Here you can see the configuration of SQL Server services.

If I open “SQL Server (Instance 1)” under properties, you can see this particular server; if you go to the network configuration > Instance 1 > TCP/IP, you can see under IP addresses that there is no TCP port. This is how named instances work in practice. Right now, this is the dynamic port.

But if I restart the server... if something happens... if I restart the server, the TCP port may be totally different.

It is a kind of nightmare for firewall management. But this is how SQL Server works.

You can fix the port number and make it constant here. But by default it's very dynamic. So it is a kind of issue for the SQL Server client: how to connect to the proper TCP/IP port, because at the very end the client must connect to the proper port.

And on the SQL Server machine we have one very special service, which is SQL Server Browser. SQL Server Browser is a kind of librarian, knowing about every single instance and then sending the information to the client. It's a kind of directory.

So, if I run the SQL Server Browser service, I will start it and see that the process ID is 4916. I can do “netstat -ano | findstr /i 4916”, and you can see my process 4916 is listening on 1434. This is the default port. This is the UDP port on which Browser listens to clients.

And it simply says: if you want to connect to the instance named “Instance 1”, the TCP port would be this and that. And after every single restart, it will have the right information in its database, so it will send the client to the proper one.

At the same time, please remember it's UDP based. And if it's UDP based, it may be attacked in multiple ways, actually somewhat comparable to the way we attacked NetBIOS and name resolution, because with UDP it is relatively easy to send a packet saying it's coming from a totally different source.

The purposes of using UDP

We can use it for two purposes, given the possibility of such an attack. The first one is to send the packets to the poor victim while acting as the victim: let's imagine I'm doing a ping saying I am host A, which is not true. The reply to the ping will return to host A, because this is the source. We can do a very similar thing with UDP packets.

And here, with this particular service, another thing we can use is amplification.

Amplification means I can send a relatively small amount of data to this service and it will reply to me with something significantly bigger. And this is what I can do against this particular port.

I will show you a GitHub repository with mssqldos.py; it is a Python script. I will not run it right now, but this is the script sending packets to the SQL Server Browser, asking for some information and spoofing the identity of the asking party. So the SQL Server Browser will send back the answer. The answer will be significantly bigger, and at the same time it will be sent to the victim, to the host whose identity we have just spoofed. If we perform this at the proper scale, we can actually kill the performance or the bandwidth of this victim.

The conclusion is: please do not expose SQL Server Browser to untrusted hosts, especially if it's about a large number of them. We can find some SQL Server Browsers exposed to the Internet, which is not the smartest thing I can imagine. Those may be used for attacking other victims.

Please care about your 1434 and about your SQL Server Browser.

You can remove SQL Server Browser totally, configuring your SQL Server clients with the proper port number. If you do not use named instances, you also do not have to use SQL Server Browser. So SQL Server Browser is a very handy and comfortable thing, but at the same time, if you are security oriented, you can skip it. You can skip using it because it makes your environment a bit unsafe. But management is significantly more complicated in such an environment. It's up to you.

As you saw, we had a couple of attacks on SQL Server: the ones that Mike presented to you, and those I tried to do on my own, misusing the SQL Server protocol to attack some innocent victims.

All those ways can be limited and managed. In a properly configured environment, no attack like the ones we presented should work in practice.

Fingers crossed for your SQL Server, and please: do not be scared of SQL Servers, because it's a server like any other, maybe a bit more complicated, but at the same time, in terms of communication, nothing really more complex.
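The amplification Greg describes for SQL Server Browser, as an added example that is not the mssqldos.py script and not code from the post: a Python model of the SSRP exchange on UDP 1434, following the public MS-SQLR format (CLNT_UCAST_EX is the single byte 0x03; SVR_RESP is 0x05, a little-endian 16-bit size, then ASCII key;value pairs with “;;” after each instance). It builds a constructed response for a host with a default and a named instance, parses it back (the “tcp” value is the dynamic port the Browser hands out), and computes the bytes-returned-per-byte-sent ratio both at payload level and with IPv4+UDP headers added. Nothing is sent on the network; the instance names, version and ports are placeholders.

```python
# CLNT_UCAST_EX: the one-byte "list all instances" request a client sends to the Browser.
CLNT_UCAST_EX = b"\x03"
IPV4_UDP_HEADERS = 20 + 8  # on-the-wire overhead added to each datagram


def build_svr_resp(instances):
    """SVR_RESP: 0x05, little-endian 16-bit size, then ASCII key;value pairs with ';;' after each instance."""
    text = "".join(";".join(f"{k};{v}" for k, v in inst.items()) + ";;" for inst in instances)
    data = text.encode("ascii")
    return b"\x05" + len(data).to_bytes(2, "little") + data


def parse_svr_resp(packet):
    """Turn a SVR_RESP back into a list of {key: value} dicts, one per instance."""
    if packet[:1] != b"\x05":
        raise ValueError("not an SSRP SVR_RESP")
    size = int.from_bytes(packet[1:3], "little")
    text = packet[3:3 + size].decode("ascii")
    instances = []
    for record in text.split(";;"):
        if record:
            parts = record.split(";")
            instances.append(dict(zip(parts[0::2], parts[1::2])))
    return instances


def amplification(request, response):
    """Bytes returned per byte sent, at the payload level and including IPv4+UDP headers."""
    return {
        "request_bytes": len(request),
        "response_bytes": len(response),
        "payload_ratio": len(response) / len(request),
        "wire_ratio": (IPV4_UDP_HEADERS + len(response)) / (IPV4_UDP_HEADERS + len(request)),
    }


# Constructed answer for a host with a default and a named instance (not a real capture).
SAMPLE_INSTANCES = [
    {"ServerName": "SQL02", "InstanceName": "MSSQLSERVER", "IsClustered": "No",
     "Version": "14.0.1000.169", "tcp": "1433", "np": r"\\SQL02\pipe\sql\query"},
    {"ServerName": "SQL02", "InstanceName": "INSTANCE1", "IsClustered": "No",
     "Version": "14.0.1000.169", "tcp": "49152", "np": r"\\SQL02\pipe\MSSQL$INSTANCE1\sql\query"},
]


def demo():
    """Parse the constructed response and measure how much a 1-byte query gets back."""
    response = build_svr_resp(SAMPLE_INSTANCES)
    return {"instances": parse_svr_resp(response),
            "amplification": amplification(CLNT_UCAST_EX, response)}


if __name__ == "__main__":
    result = demo()
    for inst in result["instances"]:
        print(f'{inst["InstanceName"]:12} tcp/{inst["tcp"]}')
    print(result["amplification"])
```

Every extra instance on the host adds another record to the response and raises the ratio, which is why a Browser reachable from the Internet is worth something to an attacker even when the SQL Server port itself is firewalled.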

The hacker playbook: How to think and act like a cybercriminal to reduce risk (notes from Microsoft Ignite 2017)
https://cqureacademy.com/ignite/the-hacker-playbook
Sat, 30 Sep 2017 14:30:56 +0000

Slide deck from my session at Microsoft Ignite 2017: “The hacker playbook: How to think and act like a cybercriminal to reduce risk”

Tools from the session

Here you can find the most important tools I used during the session! >> Get the tools from this session <<

Session Summary

Thank you for attending the Microsoft […]

The Windows Indexing Service data is in C:\ProgramData\Microsoft\Search\Data\Applications\Windows; in our case we need to go to the same folder, but under the C:\shadowcopy created earlier: C:\shadowcopy\ProgramData\Microsoft\Search\Data\Applications\Windows

Adventures in the Underland: Is encryption solid as a rock or a handful of dust?
https://cqureacademy.com/ignite/adventures-in-underland
Fri, 29 Sep 2017 14:16:19 +0000

Slide deck from my session at Microsoft Ignite 2017: “Adventures in the Underland: Is encryption solid as a rock or a handful of dust?”

Tools from the session

Here you can find the most important tools I used during the session! >> Get the tools from this session <<

3 key summary points from the session: […]